Today we released Kentor.AuthServices 0.18.1. It contains a number of bug fixes, but also a couple of breaking changes to a mostly internal API and logout handling.
You are affected if…
- you build a HttpRequestData yourself, instead of using a built-in extension method
- you are using Single Logout and…
  - you have a ClaimsAuthenticationManager
  - you manually create an AuthServicesClaimTypes.LogoutNameIdentifier claim
  - you filter out claims that are persisted
  - you have a
Most users should not be affected, but if you match any of the above please read on.
HttpRequestData now contains the user
The logout implementation in LogoutCommand needs to access the current user. It used to do that by accessing ClaimsPrincipal.Current. When working on the upcoming ASP.NET Core middleware we found out that ClaimsPrincipal.Current is not set in that environment. It is also an issue for anyone with custom session handling who wants to integrate with the low level API and call the command classes directly.
The existing ToHttpRequestData() extension methods have been updated to include the user. This only affects you if those extension methods are not used, or if a non-standard session storage is used.
Logout Name Identifier Handling
SAML2 differs from other federation protocols in that it includes the identity and session id of the logged in user session in the logout messages. This means that AuthServices needs to preserve the original name identifier, including some optional properties, and the session id. AuthServices used to do that by relying on the ClaimTypes.NameIdentifier claim, with AuthServicesClaimTypes.NameIdentifier as a fallback if the original Name Identifier cannot be used in the application. From this release this has been changed and the ClaimTypes.NameIdentifier claim is now mandatory.
If you have a ClaimsAuthenticationManager and are using single logout, you have to make sure that the AuthServicesClaimTypes.SessionIndex claim is included in the returned identity.
If you previously created an AuthServicesClaimTypes.LogoutNameIdentifier claim by copying the ClaimTypes.NameIdentifier claim, you have to remove that code. The AuthServicesClaimTypes.LogoutNameIdentifier claim now has a more complex format that you shouldn't try to create yourself. Carry the one included in the original identity forward instead.
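As an added example (not code from this post or from AuthServices itself), a ClaimsAuthenticationManager that trims the identity down to the claims an application needs while keeping the ones Single Logout depends on after 0.18.1. The Kentor.AuthServices namespace for AuthServicesClaimTypes and the set of application claims are assumptions.

```csharp
using System.Linq;
using System.Security.Claims;
using Kentor.AuthServices; // assumed: namespace exposing AuthServicesClaimTypes

// Added example: a claims filter that is safe to combine with Single Logout.
public class LogoutSafeClaimsAuthenticationManager : ClaimsAuthenticationManager
{
    // Claims the application actually uses (hypothetical selection).
    private static readonly string[] ApplicationClaims =
    {
        ClaimTypes.Name,
        ClaimTypes.Email,
        ClaimTypes.Role,
    };

    // Claims that must survive filtering for LogoutCommand to work:
    // the now mandatory name identifier, the session index, and the
    // logout name identifier AuthServices built (carried forward, never recreated).
    private static readonly string[] LogoutClaims =
    {
        ClaimTypes.NameIdentifier,
        AuthServicesClaimTypes.SessionIndex,
        AuthServicesClaimTypes.LogoutNameIdentifier,
    };

    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
    {
        if (incomingPrincipal == null || !incomingPrincipal.Identity.IsAuthenticated)
        {
            return incomingPrincipal;
        }

        var incoming = (ClaimsIdentity)incomingPrincipal.Identity;

        // Keep application claims plus everything logout needs; drop the rest.
        var kept = incoming.Claims.Where(c =>
            ApplicationClaims.Contains(c.Type) || LogoutClaims.Contains(c.Type));

        var outgoing = new ClaimsIdentity(
            kept,
            incoming.AuthenticationType,
            incoming.NameClaimType,
            incoming.RoleClaimType);

        return new ClaimsPrincipal(outgoing);
    }
}
```

If the identity returned from the IdP lacks AuthServicesClaimTypes.SessionIndex, this filter cannot add it; check for it in the outgoing identity when diagnosing logouts that do nothing.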